The QUOTENAME function will make sure your variable is treated as a "valid SQL Server delimited identifier".
It is then up to you to decide if the table given is one they should be allowed to delete. Maybe with SQL permissions on the table or a whitelist of tables that can be deleted...
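The two steps described above (an allowlist check, then QUOTENAME) as a T-SQL sketch. This is an added example, not code from the original answer; it assumes the dynamic statement is a DROP TABLE, and the object names dbo.DroppableTables and dbo.DropAllowedTable are hypothetical.

```sql
-- Hypothetical allowlist of tables that callers may drop.
CREATE TABLE dbo.DroppableTables (
    SchemaName sysname NOT NULL,
    TableName  sysname NOT NULL,
    PRIMARY KEY (SchemaName, TableName)
);
GO

CREATE PROCEDURE dbo.DropAllowedTable
    @SchemaName sysname,
    @TableName  sysname
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Authorization: the name must be on the allowlist and exist as a
    --    user table. The input is only compared as data here, never
    --    concatenated into a statement.
    IF NOT EXISTS (
        SELECT 1
        FROM dbo.DroppableTables AS a
        JOIN sys.tables  AS t ON t.name = a.TableName
        JOIN sys.schemas AS s ON s.schema_id = t.schema_id
                             AND s.name = a.SchemaName
        WHERE a.SchemaName = @SchemaName
          AND a.TableName  = @TableName
    )
    BEGIN
        RAISERROR(N'Table is not on the list of tables that may be dropped.', 16, 1);
        RETURN;
    END;

    -- 2. Quoting: QUOTENAME wraps each part in [ ] and doubles any ] inside
    --    it, so the value can only be parsed as an identifier.
    DECLARE @sql nvarchar(max) =
        N'DROP TABLE ' + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName) + N';';

    EXEC sys.sp_executesql @sql;
END;
GO

-- Constructed usage: only succeeds if (dbo, StagingImport) is in the allowlist.
-- EXEC dbo.DropAllowedTable @SchemaName = N'dbo', @TableName = N'StagingImport';
```

QUOTENAME alone only guarantees the string is parsed as a single identifier; the allowlist join is what limits which tables the caller can reach.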